We performed a comparison between Synopsys Code Dx and Veracode based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, Veracode comes out ahead of Synopsys Code Dx. Although both products have valuable features and good technical support, our reviewers found that Synopsys Code Dx has higher false positive rates and less flexibility in licensing options.
"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."
"What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred."
"We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them."
"Being able to scan our applications and identify all codes and defects is an extremely valuable feature."
"I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
"Ad-hoc scanning during the development cycle and reports for audits are valuable features."
"Code scanning is the most valuable feature."
"It is a good product for creating secure software. The static code analysis is pretty good and useful."
"The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms."
"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."
"The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow."
"Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved."
"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."
"Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."
"The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly "modules" are)."
"It would be nice if Veracode were bundled with some preferred vendors like Salesforce and offered at a discount."
Synopsys Code Dx is ranked 31st in Static Application Security Testing (SAST) with 1 review while Veracode is ranked 2nd in Static Application Security Testing (SAST) with 194 reviews. Synopsys Code Dx is rated 0.0, while Veracode is rated 8.2. The top reviewer of Synopsys Code Dx writes "Facilitates continuous assessment of applications, covering both static and dynamic security aspects". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Synopsys Code Dx is most compared with Checkmarx One, Coverity and SonarQube, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and OWASP Zap.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.